Background

Several people have indicated that they have a difficult time
justifying international travel (or even travel at all) to attend
FIRST conferences, or for time and resources spent volunteering for
FIRST. We decided to poll people at the 1998 conference and ask why
they are involved with FIRST (either by attending the conference or
through membership, or both) and how they justify the costs (time,
other resources, and especially travel costs) to their management.

Brief summary: Computer security incidents are often international
in nature. Each incident response team can assist their
constituency and coordinate with other teams to provide efficient
global response.

FIRST provides:

A forum for trusted interaction among incident response teams.

The annual conference
, which is the only event that focuses on
incident response. Education is provided through tutorials,
presentations and team to team interactions.

The FIRST technical colloquia provide a closed discussion forum
for teams to share more explicit and sensitive information with
each other.

New teams benefit from membership in FIRST by improved
communication with their peers around the globe and through the
exchange of information, ideas and practices.

The collection of FIRST teams provide expertise that covers a wide
variety of incident response and security issues.

Advantages of FIRST Membership

Member teams share more explicit and sensitive information at our
Technical Colloquia than is usually shared (at least in public) at
the annual conference.

The mailing lists provide an opportunity for us to share information
about exploits, threats, tools and techniques in a secure and
restricted forum.

Networking

The first thing that everyone said when asked was "networking": they
like FIRST because it provides an excellent opportunity to meet with
their peers - people who are involved in the international incident
response effort.

Some teams have this goal of networking as part of their mission, or
perhaps we should say, they believe in the mission of FIRST (in
part,
to promote the formation of incident response teams all over the
world), and so attendance at the conference and involvement in FIRST
is a natural part of their activities.

Other teams are interested mostly in self-improvement - their
mission isn't so much to help create teams around the globe, but
they want to be the best they can be, and an important part of that
is meeting with their peers and sharing ideas. This sharing goes
both ways - teams that are weak in one area are strong in others,
and we can benefit from one anothers strengths when we have the
opportunity to meet, compare notes, and share problems (and
solutions). The best way to do this is through meeting face to face
- the FIRST conference provide an excellent forum for this sort of
discourse.

Finally, new teams and groups that are interested in forming teams
can obviously benefit greatly from the experience of existing teams.
Involvement as a member of FIRST, and attendance at the conferences
gives new teams an opportunity to learn from the best and become an
active member of the international incident response community.

Networking - getting help

Meeting people from experienced incident response teams helps us
build contacts that we can refer to when we run into unfamiliar
problems. Through the presentations and our conversations at the
conferences, or discussions on the first-teams mailing list, we
learn
about other teams. When we need help, we can refer to those people
for assistance. Members of FIRST can also search for help through
the first-teams mailing list.

Several teams use these external contacts to identify experts that
they have invited to get involved with their constituencies in
various ways (e.g. providing consulting, giving talks). Often times
bringing in an outside authority lends extra credibility that can
convince people where we couldn't. FIRST provides an excellent
forum for finding these sorts of experts.

Networking - Trust

One of the big problems in incident response is that when we contact
someone at another site we don't know who they are and whether we
can trust them not to damage our investigation. Having a trusted
contact at a remote site can greatly help us, contacting the wrong
person can really mess things up.

FIRST helps build that trust between teams in several respects.

The conferences provide an opportunity to meet with people from
other incident response teams. through our conversations and
efforts to help one another, we build personal trust between us.

FIRST members go through an interview process of sorts, and that
lends at least a limited sort of trust to any FIRST member. When I
contact another FIRST team, even if we haven't met anyone from that
team, we know that someone from FIRST has, that they probably know
how to handle my incident at their end in a discrete and secure
fashion, and that they will probably cooperate with me to solve our
mutual incident. as we work together on incidents, we also build
more trust and credibility with one another.

Also, we often need to contact organizations that have not been
involved with FIRST. we haven't met them, their incident response
team (if they even have one) isn't a FIRST member, we don't know
whether we should communicate with them or not. we can often
contact regional incident response teams who are FIRST members
(e.g. a national team) to solicit their advice, or even just ask
around FIRST to see whether anyone also has had dealings with that
group before. FIRST can help us find and build trusted contacts
with non-FIRST teams, and to avoid disclosing sensitive information
to suspicious groups.

Networking - an indirect benefit

There is also a hidden but important benefit of involvement in
FIRST. Active participation in FIRST directly helps accomplish the
mission of FIRST - the formation of a global incident response
community. Many Internet security incidents are global in nature.
As we increase the number of experienced teams, and increase
coverage of the Internet, the quality and efficiency of global
incident response will rise.

Bridging gaps, raising awareness

The FIRST conferences provide a unique means for the incident
response community to interact with the law enforcement community.
This helps us form and maintain mutual understanding, respect and
trust. Since many incident response teams interact with law
enforcement groups on a regular basis, this helps us to work
together more effectively.

FIRST also helps incident response teams to understand one another.
Although we share common goals and problems, there are significant
differences between the teams for software vendors, Internet service
providers, colleges and universities, military groups, national
teams and commercial teams. Through networking and presentations we
can learn more about both the problems and solutions we hold in
common, as well as gain mutual understanding. This facilitates
cooperation and helps alleviates frustration when we try to work
together.

Education/Training

The annual conferences provide excellent tutorials and presentations
that help us advance in our own education and to stay abreast of
new threats and developments in the security world.

The FIRST Technical Colloquia (available to FIRST members only)
provide additional opportunities for us to share sensitive
information with one another.

Incident response teams share information about threats, exploits,
incident response tools and techniques through contact at the
conference, and through the technical colloquia and mailing list.

Attendance at FIRST events
can be a productive part of training new
team members - bring them along, let them associate with other
incident response personnel and develop their own network of
contacts, in addition to learning a lot. It also gives other teams
a chance to meet the newer members of your team.

Best conference for our needs

There are other security conferences. Some provide limited training
in incident response, but none of them address the specific needs of
incident response teams. FIRST is only group focusing specifically
on incident response and incident response teams.

The USENIX Security Symposium is focused more on "security
research". The value of FIRST is that the focus is on real world
incident response experiences - what are other teams doing that I
can learn and apply now?

Involvement with FIRST lends credibility to our separate teams

FIRST is the "premier organization for the international incident
response community". Involvement in FIRST lends credibility to our
teams, especially for teams that join FIRST as members. This has
helped at least one team tremendously in its outreach efforts to
local businesses.

Internet security is an international problem, and needs an
international involvement to address it.

You may need to contact another IRT outside your country to address
an incident at your site. Knowing who you are working with before
you contact them in an emergency is a great help, and can result in
more effective and efficient coordination and interaction. It is
important to raise the profile of your team in the international
incident response community to establish these contacts. Attendance
at the FIRST conferences, especially in locations that are
geographically removed from us, is the most effective way to do
this. It is especially useful for meeting teams from the area where
the conference is located, which you might never meet otherwise.

Incident response teams are (mostly) isolated - we are spread all
over the globe, and most don't have teams nearby to consult with on
a regular basis. FIRST provides a unique forum for us to break
through the barriers that separate us and meet together.

International travel isn't necessarily more expensive than other
travel. Compare the costs.

A concern for many teams in the U.S.A. is that international travel
is perceived as a "vacation". Travel for a conference in Mexico or
Bristol (or Australia) isn't any more of a vacation than is travel
to San Diego or Baltimore.

Other:

From a consulting firm: our clients are setting up incident response
teams. We'd like to help them (and help them get involved with
FIRST, we hope!)

Management likes to be on top of things. Involvement with FIRST is
one step they can take to help ensure that their team will be among
the best. When someone asks what they are doing to ensure that
their company is on top of things with regard to incident response,
they can say that they are actively involved with FIRST, the premier
incident response forum in the world.

One respondent worked attendance at the FIRST conference into their
job as part of their benefits package when they signed on.

Some groups list involvement with FIRST as a mission-critical part
of their job.